CreateSession can generate invalid session ids

The recent security patches for the AJAX viewer imposed the following pattern restriction on MapGuide session ids:

00000000-0000-0000-0000-000000000000_aa_00000000000000000000

The "aa" component is the locale when the CREATESESSION mapagent call is made. However if a custom LOCALE parameter is passed which is not 2 characters (eg. en-US), then that is actually incorporated into the generated session id itself, making it unusable when it is passed to the AJAX viewer.